https://bugs.openldap.org/show_bug.cgi?id=10149
Issue ID: 10149
Summary: [PATCH] Allow certificates and keys to be read from URIs.
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: minfrin@sharp.fm
Target Milestone: ---
Add the LDAP_OPT_X_TLS_URIS and LDAP_OPT_X_TLS_CACERTURIS options to allow certificates and keys to be set using OpenSSL provider URIs.
The attached patch file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Graham Leggett minfrin@sharp.fm. I have not assigned rights and/or interest in this work to any party.
The attached modifications to OpenLDAP Software are subject to the following notice: Copyright 2023 Graham Leggett Redistribution and use in source and binary forms, with or without modification, are permitted only as authorized by the OpenLDAP Public License.
--- Comment #1 from minfrin@sharp.fm <minfrin@sharp.fm> ---
Created attachment 996 --> https://bugs.openldap.org/attachment.cgi?id=996&action=edit
Allow certificates and keys to be read from URIs.
--- Comment #2 from minfrin@sharp.fm <minfrin@sharp.fm> ---
Also visible here: https://github.com/openldap/openldap/pull/11
Quanah Gibson-Mount <quanah@openldap.org> changed:

              What    |Removed       |Added
----------------------------------------------------------------------------
          Keywords    |needs_review  |
  Target Milestone    |---           |2.7.0
minfrin@sharp.fm <minfrin@sharp.fm> changed:

                         What    |Removed  |Added
----------------------------------------------------------------------------
  Attachment #996 is obsolete    |0        |1

--- Comment #3 from minfrin@sharp.fm <minfrin@sharp.fm> ---
Created attachment 1000 --> https://bugs.openldap.org/attachment.cgi?id=1000&action=edit
Allow certificates and keys to be read from URIs.
Man page updates with examples of URIs.
--- Comment #4 from minfrin@sharp.fm <minfrin@sharp.fm> ---
Quick ping on this one.
This patch blocks the fixing of secure replication support in 389ds, which is currently limited to a restrictive certificate setup and is in turn fixed in https://github.com/389ds/389-ds-base/pull/6021.
Is there an option to have this included in the v2.6.x branch?
--- Comment #5 from Ondřej Kuzník <ondra@mistotebe.net> ---
On Sun, Jan 12, 2025 at 10:47:45AM +0000, openldap-its@openldap.org wrote:
> Quick ping on this one.
>
> This patch blocks the fixing of secure replication support in 389ds, which is currently limited to a restrictive certificate setup and is in turn fixed in https://github.com/389ds/389-ds-base/pull/6021.
Hi Graham, would you be able to explain in more detail what this provides that cannot be achieved with existing options like LDAP_OPT_X_TLS_CACERT, ...?
Also, if you want to open an MR on git.openldap.org, that would make review much easier for all involved, but we don't insist on going that route. If you need your GitLab account to be confirmed, please provide your account name here (and make sure its email matches your Bugzilla email).
> Is there an option to have this included in the v2.6.x branch?
As a significant change in library API, I feel it unlikely to land in 2.6 unless it can be shown that it has no impact on existing installations.
Thanks,